
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

NIST SP 800-37, Revision 1

Applying Risk Management to Information Systems

(Transforming the Certification and Accreditation Process)

Annual Computer Security Applications Conference

December 10, 2009

Dr. Ron Ross

Computer Security Division

Information Technology Laboratory

Introduction

A Unified Framework for Information Security

The Generalized Model: common information security requirements shared by all sectors, plus each sector's unique information security requirements (the “Delta”), covering national security and non national security information systems.

Foundational Set of Information Security Standards and Guidance

• Standardized risk management process

• Standardized security categorization (criticality/sensitivity)

• Standardized security controls (safeguards/countermeasures)

• Standardized security assessment procedures

• Standardized security authorization process

Sectors covered by the model: Intelligence Community, Department of Defense, Federal Civil Agencies, Private Sector, State and Local Govt.

Enterprise-Wide Risk Management (NIST SP 800-39)

Multi-tiered Risk Management Approach

TIER 1: Organization (Governance), strategic risk focus

TIER 2: Mission / Business Process (Information Assets and Information Flows)

TIER 3: Information System (Environment of Operation), tactical risk focus

Implemented by the Risk Executive Function

Enterprise Architecture and SDLC Focus

Flexible and Agile Implementation

Risk Management Hierarchy (NIST SP 800-39)

Tiers: TIER 1 Organization, TIER 2 Mission / Business Process, TIER 3 Information System.

Tier 1, Organization: Risk Executive Function (Oversight and Governance)

Risk Management Strategy

Risk Assessment Methodologies

Risk Mitigation Approaches

Risk Tolerance

Risk Monitoring Approaches

Linkage to ISO/IEC 27001

Risk Management Hierarchy (NIST SP 800-39)

Tiers: TIER 1 Organization, TIER 2 Mission / Business Process, TIER 3 Information System.

Tier 2, Mission / Business Process, guided by the Tier 1 Risk Management Strategy:

Mission / Business Processes

Information Flows

Information Categorization

Information Protection Strategy

Information Security Requirements

Linkage to Enterprise Architecture

Risk Management Hierarchy (NIST SP 800-37)

Tiers: TIER 1 Organization, TIER 2 Mission / Business Process, TIER 3 Information System.

Tier 3, Information System: Risk Management Framework

Linkage to SDLC

Information System Categorization

Selection of Security Controls

Security Control Allocation and Implementation

Security Control Assessment

Risk Acceptance

Continuous Monitoring

Risk Management Framework

Security Life Cycle

Starting Point: CATEGORIZE Information System. Define criticality/sensitivity of information system according to potential worst-case, adverse impact to mission/business.

SELECT Security Controls. Select baseline security controls; apply tailoring guidance and supplement controls as needed based on risk assessment.

IMPLEMENT Security Controls. Implement security controls within enterprise architecture using sound systems engineering practices; apply security configuration settings.

ASSESS Security Controls. Determine security control effectiveness (i.e., controls implemented correctly, operating as intended, meeting security requirements for information system).

AUTHORIZE Information System. Determine risk to organizational operations and assets, individuals, other organizations, and the Nation; if acceptable, authorize operation.

MONITOR Security Controls. Continuously track changes to the information system that may affect security controls and reassess control effectiveness.

Common Risk Management Process

NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

Developed by the Joint Task Force Transformation Initiative Working Group:

Office of the Director of National Intelligence

Department of Defense

Committee on National Security Systems

National Institute of Standards and Technology

Final Public Draft (November 2009)

Purpose

Provide guidelines for applying the Risk Management Framework to federal information systems—

To ensure that managing risk from information systems is consistent with mission/business objectives and the overall risk strategy established by the senior leadership through the risk executive (function).

To ensure that information security requirements, including necessary security controls, are integrated into the organization’s enterprise architecture and system development life cycle processes.

To support consistent, well-informed, and ongoing security authorization decisions (through continuous monitoring), transparency of security and risk-related information, and reciprocity of authorization results.

To achieve more secure information and information systems through the implementation of appropriate risk mitigation strategies.

Applicability

Federal information systems other than those systems designated as national security systems as defined in 44 U.S.C., Section 3542.

National security systems with the approval of federal officials exercising policy authority over such systems.

State, local, and tribal governments, as well as private sector organizations are encouraged to consider using these guidelines, as appropriate.

Target Audience

Individuals with mission/business ownership responsibilities or fiduciary responsibilities.

Individuals with information system development and integration responsibilities.

Individuals with information system and/or security management/oversight responsibilities.

Individuals with information system and security control assessment and monitoring responsibilities.

Individuals with information security implementation and operational responsibilities.

Characteristics of RMF-Based Process (1 of 3)

Promotes near real-time risk management and ongoing system authorization through the implementation of robust continuous monitoring processes.

Integrates information security more closely into the enterprise architecture and system development life cycle.

Provides equal emphasis on the security control selection, implementation, assessment, and monitoring, and the authorization of information systems.

Characteristics of RMF-Based Process (2 of 3)

Links risk management processes at the information system level to risk management processes at the organization level through a risk executive (function).

Establishes responsibility and accountability for security controls deployed within organizational information systems and inherited by those systems.

Characteristics of RMF-Based Process (3 of 3)

Encourages the use of automation to:

Increase consistency, effectiveness, and timeliness of security control implementation and functionality; and

Provide senior leaders the necessary information to take credible, risk-based decisions with regard to the information systems supporting their core missions and business functions.

The Fundamentals

Mainstreaming Information Security

Information security requirements must be considered first order requirements and are critical to mission and business success.

An effective organization-wide information security program helps to ensure that security considerations are specifically addressed in the enterprise architecture for the organization and are integrated early into the system development life cycle.

System Development Life Cycle (1 of 2)

RMF steps are carried out within the five phases of the SDLC.

System Initiation Phase

System Development / Acquisition Phase

System Implementation Phase

System Operations / Maintenance Phase

System Disposal Phase

Flexibility on types of SDLC models employed by the organization (e.g., spiral, waterfall, agile development).

System Development Life Cycle (2 of 2)

Integrating information security requirements into the SDLC provides the most efficient and cost-effective method for an organization to ensure that:

Cost, schedule, and performance requirements are satisfied.

Missions and business operations supported by the information system are adequately protected.

Security-related activities are carried out as early as possible and not repeated unnecessarily.

Risk management activities are not isolated or decoupled from the management processes employed to develop, implement, operate, and maintain the information system.

Applying the Risk Management Framework to Information Systems

Figure: the six Risk Management Framework steps (CATEGORIZE Information System, SELECT Security Controls, IMPLEMENT Security Controls, ASSESS Security Controls, AUTHORIZE Information System, MONITOR Security Controls) applied to an information system, with Risk Executive (Function) inputs. The authorization package consists of the security plan (including updated risk assessment), the security assessment report, and the plan of action and milestones. Near real time security status information is produced as output from automated support tools.

Information System Boundaries

Define the scope of protection for information systems (i.e., what the organization agrees to protect under its direct control or within the scope of its responsibilities).

Include the people, processes, and technologies that are part of the systems supporting the organization’s missions and business processes.

Need to be established before information system security categorization and the development of security plans.

Large and Complex Systems

From a centralized development, implementation, and operations perspective— The organization examines the purpose of the information system and considers the feasibility of decomposing the complex system into more manageable components, or subsystems.

From a distributed development, implementation, and operations perspective— The organization recognizes that multiple entities, possibly operating under different policies, may be contributing to the development, implementation, and/or operations of the subsystems that comprise the overall information system.

Large and Complex Systems (Including System of Systems)

- Security plan reflects information system decomposition with security controls assigned to each subsystem component.

- Security assessment procedures tailored for the security controls in each subsystem component and for the combined system level.

- Security control assessment performed on each subsystem component and on system-level controls not covered by subsystem security control assessments.

- Security authorization conducted on the information system as a whole.

Figure: an organizational information system decomposed into subsystems (LAN One subsystem, LAN Two subsystem, guard subsystem, guard / gateway subsystem, dynamic subsystems, and dynamic and static external subsystems), each with its own (sub)system boundary.

Security Control Allocation

Security controls are defined to be system-specific, hybrid, or common.

Security controls are allocated to specific components of organizational information systems as system-specific, hybrid, or common controls.

Security control allocations are consistent with the organization’s enterprise architecture and information security architecture.

Security Control Accountability

Figure: the Risk Executive Function (organization-wide risk governance and oversight) sets the top level risk management strategy, which informs the operational elements (strategic risk management focus); core missions / business processes, security requirements, and policy guidance flow down from it. Common controls (security controls inherited by organizational information systems) are documented in an enterprise-wide security plan, security assessment report, and plan of action and milestones. Each information system (tactical risk management focus) carries its own system-specific controls and hybrid controls, documented in its own security plan, security assessment report, and plan of action and milestones, which support ongoing authorization decisions under the Risk Management Framework (RMF).

The Process

RMF Task Structure (1 of 2)

Task Section: Describes the specific RMF task within the appropriate step in the Risk Management Framework.

Primary Responsibility Section: Lists the individual or group within the organization having primary responsibility for executing the RMF task.

Supporting Roles Section: Lists the supporting roles within the organization that may be necessary to help the individual or group with primary responsibility for executing the RMF task.

SDLC Phase Section: Lists the particular phase of the SDLC when the RMF task is typically executed.

RMF Task Structure (2 of 2)

Supplemental Guidance Section: Provides supplemental guidance for executing the RMF task including additional information from relevant supporting security policies, instructions, standards, and guidelines.

References Section: Provides general references to NIST security standards and guidelines that should be consulted for additional information with regard to executing the RMF task. Provides specific national security system references to CNSS policies and instructions that should be consulted for additional information with regard to executing the RMF task when the general references are either insufficient or inappropriate for national security application.

RMF Step 1 Tasks

Security Categorization

Task 1-1: Categorize the information system and document the results of the security categorization in the security plan.

Information System Description

Task 1-2: Describe the information system (including system boundary) and document the description in the security plan.

Information System Registration

Task 1-3: Register the information system with appropriate organizational program/management offices.

RMF Step 1: Categorize Information System

Milestone Checkpoint #1

Has the organization completed a security categorization of the information system including the information to be processed, stored, and transmitted by the system?

Are the results of the security categorization process for the information system consistent with the organization’s enterprise architecture and commitment to protecting organizational mission/business processes?

Do the results of the security categorization process reflect the organization’s risk management strategy?

Has the organization adequately described the characteristics of the information system?

Has the organization registered the information system for purposes of management, accountability, and oversight?

RMF Step 2 Tasks (1 of 2)

Security Control Selection

Task 2-1: Select the security controls for the information system and document the controls in the security plan.

Common Control Identification

Task 2-2: Identify the security controls that are provided by the organization as common controls for organizational information systems and document the controls in a security plan (or equivalent document).

RMF Step 2: Select Security Controls

RMF Step 2 Tasks (2 of 2)

Monitoring Strategy

Task 2-3: Develop a strategy for the continuous monitoring of security control effectiveness and any proposed/actual changes to the information system and its environment of operation.

Security Plan Approval

Task 2-4: Review and approve the security plan.

RMF Step 2: Select Security Controls

Milestone Checkpoint #2 (1 of 2)

Has the organization allocated all security controls to the information system as system-specific, hybrid, or common controls?

Has the organization identified authorizing officials for the information system and all common controls inherited by the system?

Has the organization tailored and supplemented the baseline security controls to ensure that the controls, if implemented, adequately mitigate risks to organizational operations and assets, individuals, other organizations, and the Nation?

Has the organization addressed minimum assurance requirements for the security controls employed within and inherited by the information system?

Milestone Checkpoint #2 (2 of 2)

Has the organization approved the security control baseline for the common controls inherited by the information system?

Has the organization supplemented the common controls with system-specific or hybrid controls when the security control baselines of the common controls are less than those of the information system inheriting the controls?

Has the organization developed a continuous monitoring strategy for the information system that reflects the organizational risk management strategy and commitment to protecting critical missions and business functions?

Have appropriate organizational officials approved security plans containing system-specific, hybrid, and common controls?
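The worst-case rule of the CATEGORIZE step and the allocation and inheritance questions of Milestone Checkpoint #2, run over a constructed security plan. This is an added example, not code from the deck or from NIST; it assumes impact levels ordered LOW < MODERATE < HIGH, splits categorization into the FIPS 199 objectives (confidentiality, integrity, availability), and uses SP 800-53 style control identifiers on sample data.

```python
"""Checks for two rules the deck states, run over a constructed security plan.

Rule 1 (CATEGORIZE step): the system's security category is the worst-case
adverse impact across the information it processes, stores, and transmits.
Rule 2 (Milestone Checkpoint #2): every control is allocated as system-specific,
hybrid, or common, and a common control whose provider's baseline is lower than
the inheriting system's level is supplemented with a system-specific or hybrid
control.

Assumptions (not stated on the slides): impact levels are ordered
LOW < MODERATE < HIGH and categorization is done per FIPS 199 objective
(confidentiality, integrity, availability). Control identifiers use the
SP 800-53 naming style; all data below is constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

LEVELS = ("LOW", "MODERATE", "HIGH")          # ascending severity
ALLOCATIONS = ("system-specific", "hybrid", "common")
OBJECTIVES = ("confidentiality", "integrity", "availability")


def worst_case(levels: Iterable[str]) -> str:
    """Highest impact level in the iterable (the 'worst-case' rule)."""
    levels = list(levels)
    if not levels:
        raise ValueError("at least one impact level is required")
    return max(levels, key=LEVELS.index)


@dataclass
class InformationType:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def categorize_system(info_types: List[InformationType]) -> Tuple[Dict[str, str], str]:
    """Per-objective worst case over all information types, then the overall level."""
    per_objective = {obj: worst_case(getattr(t, obj) for t in info_types)
                     for obj in OBJECTIVES}
    return per_objective, worst_case(per_objective.values())


@dataclass
class Control:
    control_id: str
    allocation: Optional[str]                # None means not yet allocated
    provider_baseline: Optional[str] = None  # baseline level of the common control provider


def checkpoint_2(system_level: str, controls: List[Control]) -> Dict[str, List[str]]:
    """Findings against the Checkpoint #2 questions on allocation and inheritance."""
    findings: Dict[str, List[str]] = {
        "unallocated": [], "invalid_allocation": [], "needs_supplement": []}
    for c in controls:
        if c.allocation is None:
            findings["unallocated"].append(c.control_id)
        elif c.allocation not in ALLOCATIONS:
            findings["invalid_allocation"].append(c.control_id)
        elif c.allocation == "common":
            # An inherited control only covers the system if the provider's
            # baseline is at least the system's level; otherwise the plan must
            # add a system-specific or hybrid control. An undocumented provider
            # baseline cannot be relied on either, so it is flagged the same way.
            if (c.provider_baseline is None
                    or LEVELS.index(c.provider_baseline) < LEVELS.index(system_level)):
                findings["needs_supplement"].append(c.control_id)
    return findings


# Constructed sample data for one hypothetical system.
SAMPLE_INFO_TYPES = [
    InformationType("public web content", "LOW", "LOW", "LOW"),
    InformationType("employee PII", "MODERATE", "MODERATE", "LOW"),
    InformationType("financial transactions", "MODERATE", "HIGH", "MODERATE"),
]
SAMPLE_CONTROLS = [
    Control("AC-2", "system-specific"),
    Control("AU-6", "hybrid"),
    Control("PE-3", "common", provider_baseline="HIGH"),      # facility provider
    Control("CP-9", "common", provider_baseline="MODERATE"),  # backup service provider
    Control("IR-4", None),                                    # not yet allocated
]

if __name__ == "__main__":
    per_obj, level = categorize_system(SAMPLE_INFO_TYPES)
    print("categorization:", per_obj, "-> system level", level)
    for finding, ids in checkpoint_2(level, SAMPLE_CONTROLS).items():
        print(f"{finding}: {ids or 'none'}")
```

On the sample data the system categorizes as HIGH because of the integrity impact of financial transactions, so the MODERATE-baseline backup provider no longer covers CP-9 and IR-4 is still unallocated.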

RMF Step 3 Tasks

Security Control Implementation

Task 3-1: Implement the security controls specified in the security plan.

Security Control Documentation

Task 3-2: Document the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs).

RMF Step 3: Implement Security Controls

Milestone Checkpoint #3 (1 of 2)

Has the organization allocated security controls as system-specific, hybrid, or common controls consistent with the enterprise architecture and information security architecture?

Has the organization demonstrated the use of sound information system and security engineering methodologies in integrating information technology products into the information system and in implementing the security controls contained in the security plan?

Has the organization documented how common controls inherited by organizational information systems have been implemented?

Milestone Checkpoint #3 (2 of 2)

Has the organization documented how system-specific and hybrid security controls have been implemented within the information system taking into account specific technologies and platform dependencies?

Has the organization taken into account the minimum assurance requirements when implementing security controls?

RMF Step 4 Tasks

Assessment Preparation

Task 4-1: Develop, review, and approve a plan to assess the security controls.

Security Control Assessment

Task 4-2: Assess the security controls in accordance with the assessment procedures defined in the security assessment plan.

Security Assessment Report

Task 4-3: Prepare the security assessment report documenting the issues, findings, and recommendations from the security control assessment.

RMF Step 4: Assess Security Controls

Milestone Checkpoint #4 (1 of 2)

Has the organization developed a comprehensive plan to assess the security controls employed within or inherited by the information system?

Was the assessment plan reviewed and approved by appropriate organizational officials?

Has the organization considered the appropriate level of assessor independence for the security control assessment?

Has the organization provided all of the essential supporting assessment-related materials needed by the assessor(s) to conduct an effective security control assessment?

Milestone Checkpoint #4 (2 of 2)

Did the assessor(s) complete the security control assessment in accordance with the stated assessment plan?

Did the organization receive the completed security assessment report with appropriate findings and recommendations from the assessor(s)?

RMF Step 5 Tasks (1 of 2)

Remediation Actions

Task 5-1: Conduct initial remediation actions based on the findings and recommendations of the security assessment report.

Plan of Action and Milestones

Task 5-2: Prepare the plan of action and milestones based on the findings and recommendations of the security assessment report excluding any remediation actions taken.

Security Authorization Package

Task 5-3: Assemble the security authorization package and submit the package to the authorizing official for adjudication.

RMF Step 5: Authorize Information System

RMF Step 5 Tasks (2 of 2)

Risk Determination

Task 5-4: Determine the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation.

Risk Acceptance

Task 5-5: Determine if the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation is acceptable.

RMF Step 5: Authorize Information System

Milestone Checkpoint #5 (1 of 2)

Did the organization take the necessary remediation actions to address the most important weaknesses and deficiencies in the information system and its environment of operation based on the findings and recommendations in the security assessment report?

Did the organization update appropriate security plans based on the findings and recommendations in the security assessment report and any subsequent changes to the information system and its environment of operation?

Did the organization develop a plan of action and milestones reflecting organizational priorities for addressing the remaining weaknesses and deficiencies in the information system and its environment of operation?

Milestone Checkpoint #5 (2 of 2)

Did the final risk determination and risk acceptance by the authorizing official reflect the risk management strategy developed by the organization and conveyed by the risk executive (function)?

Was the authorization decision conveyed to appropriate organizational personnel including information system owners and common control providers?

RMF Step 6 Tasks (1 of 3)

Information System and Environment Changes

Task 6-1: Determine the security impact of proposed or actual changes to the information system and its environment of operation.

Ongoing Security Control Assessments

Task 6-2: Assess a selected subset of the technical, management, and operational security controls employed within and inherited by the information system in accordance with the organization-defined monitoring strategy.

Ongoing Remediation Actions

Task 6-3: Conduct selected remediation actions based on the results of ongoing monitoring activities and the outstanding items in the plan of action and milestones.

RMF Step 6: Monitor Security Controls

RMF Step 6 Tasks (2 of 3)

Critical Updates

Task 6-4: Update the security plan, security assessment report, and plan of action and milestones based on the results of the continuous monitoring process.

Security Status Reporting

Task 6-5: Report the security status of the information system (including the effectiveness of security controls employed within and inherited by the system), to appropriate organizational officials on an ongoing basis in accordance with the organization-defined monitoring strategy.

RMF Step 6: Monitor Security Controls

RMF Step 6 Tasks (3 of 3)

Ongoing Risk Determination and Acceptance

Task 6-6: Review the reported security status of the information system (including the effectiveness of security controls employed within and inherited by the system) on an ongoing basis in accordance with the monitoring strategy to determine whether the risk to organizational operations, organizational assets, individuals, other organizations, or the Nation remains acceptable.

Information System Removal and Decommissioning

Task 6-7: Implement an information system decommissioning strategy, when needed, which executes required actions when a system is removed from service.

RMF Step 6: Monitor Security Controls

Milestone Checkpoint #6 (1 of 2)

Is the organization effectively monitoring changes to the information system and its environment of operation including the effectiveness of deployed security controls in accordance with the continuous monitoring strategy?

Is the organization effectively analyzing the security impacts of identified changes to the information system and its environment of operation?

Is the organization conducting ongoing assessments of security controls in accordance with the monitoring strategy?

Is the organization taking the necessary remediation actions on an ongoing basis to address identified weaknesses and deficiencies in the information system and its environment of operation?

Milestone Checkpoint #6 (2 of 2)

Does the organization have an effective process in place to report the security status of the information system and its environment of operation to the authorizing officials and other designated senior leaders within the organization on an ongoing basis?

Is the organization updating key risk management documents based on ongoing monitoring activities?

Are authorizing officials conducting ongoing security authorizations by employing effective continuous monitoring activities and communicating updated risk determination and acceptance decisions to information system owners and common control providers?

Summary

Supporting Appendices

References

Glossary

Acronyms

Roles and Responsibilities

Summary of RMF Tasks

Security Authorization

Continuous Monitoring

Operational Scenarios

Security Controls in External Environments

Recognition of Authorization Results

The objective is to achieve transparency of prospective partner’s information security authorization processes…establishing trust relationships based on common, shared risk management principles.

Figure: Organization One and Organization Two each operate an information system with its own security plan, security assessment report, and plan of action and milestones, and each determines risk to the organization’s operations and assets, individuals, other organizations, and the Nation, and the acceptability of such risk. The business / mission information flow between the two systems is accompanied by an exchange of security authorization information.

Milestone Schedule

NIST Special Publication 800-37, Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

Initial Public Draft: August 2008

Final Public Draft: November 2009

Final Publication: February 2010

Download Publication from NIST Web Site: http://csrc.nist.gov/publications/PubsDrafts.html

Comments (November 17 through December 31, 2009): [email protected]

Contact Information

100 Bureau Drive Mailstop 8930

Gaithersburg, MD USA 20899-8930

Project Leader: Dr. Ron Ross, (301) 975-5390, [email protected]

Administrative Support: Peggy Himes, (301) 975-2489, [email protected]

Senior Information Security Researchers and Technical Support:

Marianne Swanson, (301) 975-3293, [email protected]

Kelley Dempsey, (301) 975-2827, [email protected]

Pat Toth, (301) 975-5140, [email protected]

Arnold Johnson, (301) 975-3247, [email protected]

Web: csrc.nist.gov/sec-cert

Comments: [email protected]